Our current Data Controller is our Managing Director, Christian Fleming. He can be contacted on 01903 259923 or by email at email@example.com. He can also be reached by post at Unit 6, Winston Business Centre, 43 Chartwell Road, Lancing, West Sussex, BN15 8TU.
We only gather personal data to carry out our marketing and maintain contractual obligations, whether that be to our employees or our customers. This data falls into different categories which are broken down in our Retention Policy.
The document is divided up into the following sections:
Any queries from Northstar staff, consultants, suppliers or customers should be directed to the Managing Director.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Data Gathering & Holding Consent Policy
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:
We never divulge data to third parties unless they are paid consultants used in the operations of this company, or delivery addresses supplied to a supplier for a direct delivery. Any person or company can withdraw their consent for us to hold their data, unless it contravenes our ability to maintain that contract, for example as an employee, or our ability to provide that service to a client. If a request to destroy data is received and contravenes that ability, we will advise that the person or company involved has the option to terminate a contract, within defined terms.
You can opt out of any marketing activities carried out by the company at any time, by contacting the data controller or clicking on an opt-out link included on the marketing email. You can also request this if you contact us by telephone.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Before providing support, cloud or installation services we will ensure all clients sign a Northstar IT engagement agreement. In this document consent will be sought to hold their information which enables us to provide our service, along with permission to contact them for account management and marketing purposes. We will not provide any service without a signed consent form. For clients that we have engaged prior to the implementation of GDPR, we will seek consent from all current clients, although we accept this will take some time to complete.
Support clients will have a specific agreement detailing what is included in their service, along with seeking the above consents.
A digitally scanned copy of a signed agreement will be stored in the client files on our server.
We do have a website with an enquiry form to gather basic contact information, with consent permissions included. This meets the legal requirements of GDPR in relation to consent to be added to our marketing lists and/or contact to reply to their enquiry.
This website is not intended for children and we do not knowingly collect data relating to children.
We may receive personal data about you from various third parties [and public sources] as set out below:
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Sales & Marketing
Before we provide any quote to a client, we will ask them for their consent to gather personal contact information as part of our quoting procedure, enabling us to fulfil their request. We use a cloud-based CRM called Pipedrive which is GDPR-compliant and is based in the EU. This system holds relevant contact information for the client and information about the opportunity and sales activity around the account. This is kept as per the Data Retention Policy, and can be removed at the request of the client at any time.
In relation to marketing we use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us or purchased goods or services from us or if you provided us with your details when you entered a competition or registered for a promotion and, in each case, you have not opted out of receiving that marketing. You can opt out of our marketing activities at any time.
A digitally scanned copy of any signed agreement will be stored in the client files on our private secure server.
Financial & Administration
We may receive personal data about you from various third parties [and public sources] as set out below:
As part of our recruitment activities, we gather CVs from agencies or online portals. These include personal data and are used to identify potential candidates to interview. If we invite someone in for an interview, we also request a copy of any professional qualifications and relevant ID as proof of their entitlement to work in the UK. These are retained in line with the Data Retention Policy.
Data Retention Policy
All data held and processed by the company can be divided into different categories and sub categories. We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below:
| Data Category | Sub Category | Description | Stored where? | Who has access? | Why do we process it? | Retention Time Policy | Action to be taken at the end of the period |
|---|---|---|---|---|---|---|---|
| HR | Job Applicants (non-successful) | CVs & Notes | Paper (locked filing cabinet) & Email | Managers & Directors | Recruitment purposes | 6 months | Scheduled shredding of paper records and deleting of public folder email. |
| HR | Job Applicants (interviewed) | CVs, ID & Notes | Paper (locked filing cabinet) & email | Managers & Directors | Recruitment purposes | 6 months | Scheduled shredding of paper records and deleting of public folder email. |
| HR | Employed Staff | CVs, Contact details, General HR files, payroll details, copy of driving licence | Paper (locked filing cabinet), electronic files on our private and secure server & email | Office Manager, HR Consultant, Directors. | Essential employment record keeping | 7 years | Scheduled shredding of paper records and deleting of public folder email. |
| HR | User Account | Network User | Our private computer network | Engineers, Managers, Directors. | Encrypted Active Directory (Server) | 3 months | Password is reset upon departure of the staff member. |
| HR | User Mailbox | Email Mailbox | Our private computer network. | Engineers, Managers, Directors. | Follow up on any support or jobs in progress | 1 year | Scheduled deletion of file. |
| Accounts | Accounts | Trading accounts | Sage, Sage backups, Sage backup on OneDrive & paper backup | Office Manager, Credit Controller, | HMRC requirements | 7 years | Scheduled maintenance of Sage to clear older records, shredding of expired paper records. |
| Active Client Data | Support Data | Technical, licensing, usernames, passwords & contact files | Paper | All staff. | Short term electronic contingency. | 3 months | Scheduled scan for electronic record keeping, then shred paper records. |
| Active Client Data | Support Data | Technical, licensing, usernames, passwords & contact files | Our private secure network | All staff. | To aid us in providing support to our clients. | 3 months from notification of termination | Files are deleted from our server. |
| Dormant Client Data | Support Data | Technical, licensing, usernames, passwords & contact files | Our private secure network & Exchange | All staff. | To aid us in handing over to a replacement service provider. | 3 months from notification of termination | Scheduled shredding of paper records and deleting of Exchange data. |
| Misc Client Data | Support/Contact | General Emails | Exchange | Mailbox owner, Directors. | An audit trail for all company email communications, retained for legal reasons. | 10 years | Automated scheduled deletion of all company emails that are in excess of 10 years old. |
| Marketing | Email Marketing Database | First & second names, contact email address, company name. | Cloud (Mailchimp) | Sales Team, Office Manager, Directors. | To contact clients (existing & potential). | Indefinite (unless contact opts out), then only the direct user can opt back in via verified email. | Automated removal if client unsubscribes from emails, as per PECR regulations. |
| Sales | CRM Pipedrive | Contact details, quote records. | Cloud (Pipedrive) | Sales Team, | To track our sales processes. | Indefinite (unless client requests data to be deleted), then only the direct user can opt back in via verified email. | Upon request from a client/contact, records will be deleted from Pipedrive, as per PECR regulations. |
| Client Data | Helpdesk | Support Ticket History | Our private secure network on a SQL Database | All Staff. | To have an audit trail of our support activities, performance and build a Knowledge Base (KB) for our helpdesk. | Indefinite (this forms a structure of our working KB) | n/a |
| Client Data | Website | Contact Details | Contact Database in website | Website Design company, | To collate details of website enquiry forms. | Maximum of 12 months. | Delete records from website history. |
Data & Privacy Protection Policy
We will take all reasonable steps to protect data that we hold, including backups, anti-virus, encryption, software security, complex passwords and physical access. Here is a breakdown of how we protect the data we hold:
Data Transmission Policy
On occasions we have to transmit information such as usernames and passwords to clients, or authorised persons. To protect these details we will always, where possible, break up those transmissions. All passwords will be transmitted via a secure method such as a website like www.onetimesecret.com or an encrypted communications facility like WhatsApp. This formally separates the password from any useful username or URL, so that a single intercepted message does not yield a working set of access details. This will minimise the risk in transmitting access details.
All software applications we use to support clients use secure communications, such as a public SSL certificate.
All of the services we provide our clients as a “Cloud Service” are either UK or EU based. We do not transfer your personal data outside the European Economic Area (EEA).
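The two properties the transmission policy relies on can be modelled in a few lines: the password travels on a different channel from the username and URL, and the link that reveals it works exactly once and then expires. This is an added example, not Northstar's code nor the code behind www.onetimesecret.com; the `example.invalid` host in the link is a placeholder.

```python
"""Toy one-time-secret store plus a credential splitter, as a model of the
Data Transmission Policy: password on one channel, username/URL on another."""
import secrets
import time
from typing import Dict, Optional, Tuple


class OneTimeSecretStore:
    """Holds secrets under unguessable tokens; each token can be read once."""

    def __init__(self, ttl_seconds: float = 3600.0) -> None:
        self.ttl_seconds = ttl_seconds
        self._entries: Dict[str, Tuple[str, float]] = {}  # token -> (secret, expiry)

    def put(self, secret: str, now: Optional[float] = None) -> str:
        """Store a secret and return a 256-bit random token for the link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._entries[token] = (secret, now + self.ttl_seconds)
        return token

    def burn(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Reveal the secret and delete it. Returns None if the token is
        unknown, already used, or expired (expired entries are dropped too)."""
        now = time.time() if now is None else now
        entry = self._entries.pop(token, None)  # removed on the first read
        if entry is None:
            return None
        secret, expires_at = entry
        return None if now > expires_at else secret


def split_credentials(username: str, url: str, password: str,
                      store: OneTimeSecretStore,
                      now: Optional[float] = None) -> Tuple[str, str]:
    """Produce the two messages the policy calls for: the first (e.g. email)
    carries username and URL only; the second (e.g. WhatsApp) carries only a
    one-time link. Neither message alone is a usable set of access details."""
    token = store.put(password, now)
    first = f"Your account {username} at {url} is ready; the password follows separately."
    second = f"https://example.invalid/secret/{token}"  # placeholder host
    return first, second


if __name__ == "__main__":
    store = OneTimeSecretStore(ttl_seconds=600)
    msg, link = split_credentials("jsmith", "https://portal.example", "constructed-pw", store)
    print(msg)
    print(link)
    print(store.burn(link.rsplit("/", 1)[1]))  # reveals once
    print(store.burn(link.rsplit("/", 1)[1]))  # None: already burned
```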
Data Breach Policy
In the event of a breach being detected, we will take the following action:
Level One: A virus infection
Definition – A virus or malicious software infection is detected where no data has been destroyed or transmitted.
Action – All computers will be scanned for viruses, and malicious software. If a computer cannot be cleaned to a satisfactory level, we will wipe the computer and rebuild from scratch. If no proof is found of personal data leaving our network, no further action will be taken other than logging the incident in our Cyber Security Log.
Level Two: A breach of our AD security
Definition – Proof that our Active Directory (network username and password system) has been breached, either electronically or by a person, where no data has been destroyed or transmitted.
Action – All user passwords will be reset. Reset all wireless passwords. Scan the entire network with Trend. Scan all devices with our anti-malicious software tools. Log the breach in our Cyber Security Log. No further action will be taken if there is no evidence that data has been stolen.
Level Three: A breach has occurred and evidence exists that any of our data has been stolen.
Definition – Evidence has been found that suggests data has been stolen.
Action – Reset all passwords. Reset all wireless passwords. Scan the entire network with our security software. Scan all devices with our anti-malicious software tools. Log the breach in our Cyber Security Log. Report the case to the Information Commissioner's Office (ICO) within 72 hours.